Hewlett Packard Enterprise Product Security Vulnerability Alerts

Hewlett Packard Enterprise incorporates IT industry best practices during the product development lifecycle to ensure a strong focus on security. HPE engineering and manufacturing practices are designed to meet product security requirements, protect HPE intellectual property, and support HPE product warranty requirements.

When a new industry-wide security vulnerability is released, HPE investigates its product line to determine the impact. For impacted products, Security Bulletins will be published. These bulletins will contain impacted product versions and the resolution (patch, upgrade, or configuration change).

On 22 August, Apache announced that Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 are vulnerable to Remote Code Execution in the context of the application. Struts 2 is used in several HPE products. To learn more about CVE-2018-11776, see the MITRE CVE Dictionary and NIST NVD.

On 14 August 2018, Intel disclosed new vulnerabilities that impact processors which are supported on certain HPE platforms. These vulnerabilities, when exploited for malicious purposes, have the potential to allow the improper gathering of sensitive data.

These vulnerabilities use a speculative execution side-channel method which Intel is referring to as L1 Terminal Fault (L1TF). At the time of disclosure, Intel was not aware of any reports that L1TF has been used in real-world exploits. Intel had released updated microcode earlier in 2018, which HPE has since made available via System ROM updates. This updated microcode, when coupled with the new operating system and/or hypervisor software updates that are now being made available, provides mitigation for these vulnerabilities.

Intel has communicated that there is a portion of the market, principally a subset of those running traditional virtualisation technology in data centres, where it may be advisable to take additional steps to protect systems. This may include enabling specific hypervisor core scheduling features or choosing to disable hyper-threading in specific scenarios. Consult the recommendations of your OS and hypervisor vendors.

On 21 May 2018, an industry-wide vulnerability was disclosed that involves modern microprocessor architectures. Based on new security research, there are software analysis methods that, when used for malicious purposes, have the potential to improperly gather sensitive data from computing devices that are operating as designed. At this time, this vulnerability is known as Speculative Store Bypass or Variant 4 (CVE-2018-3639). While this vulnerability shares many similarities with the recently disclosed Side-Channel Analysis Method, or Spectre and Meltdown, this is a new vulnerability requiring new and unique mitigations.

The Speculative Store Bypass or Variant 4 vulnerability impacts microprocessor architectures from multiple CPU vendors, including Intel, AMD and ARM. To address this vulnerability, hardware and software vendors from across the industry, including HPE, have been working together to develop mitigation strategies. Mitigation for Intel-based products requires both OS updates and System ROM updates including a new Intel microcode. Mitigation for AMD-based products requires only an OS update.

In addition, on 21 May 2018, another vulnerability was disclosed referred to as Rogue Register Load or Variant 3A (CVE-2018-3640) that allows an attacker to improperly access processor registers. This vulnerability impacts Intel-based products only. Mitigation for this vulnerability requires only a System ROM update including a new Intel microcode. The same microcode required for mitigation of Speculative Store Bypass or Variant 4 will also mitigate Rogue Register Load or Variant 3A.

On 13 March 2018, CTS Labs publicly released information regarding research into security vulnerabilities impacting some AMD products. In terms of HPE Servers, the relevant vulnerabilities impact the AMD Secure Processor (PSP) utilised in the AMD EPYC 7000 Series processor used on the HPE ProLiant DL385 Gen10 and HPE Cloudline CL3150 Gen10 servers. No other HPE server products are impacted by these potential vulnerabilities.

HPE is working with AMD to determine the extent of the vulnerability, and what precautions might be needed to mitigate any exposure. Fortunately, the new HPE DL385 Gen10 product ships with all the new HPE security features, including the HPE Silicon Root of Trust. This new HPE technology protects against typical denial of service or permanent denial of service conditions that might be caused by one part of this vulnerability.

As HPE learns more while working with AMD, we will update our communications. In addition, please reference the following statement published by AMD on 20 March.

Recently, Side-Channel (Spectre & Meltdown) security vulnerabilities involving speculative execution were publicly disclosed. These vulnerabilities may impact the listed HPE products, potentially leading to information disclosure and elevation of privilege. Mitigation and resolution of these vulnerabilities may call for both an operating system update, provided by the OS vendor, and a system ROM update from HPE. Intel provided an initial high level statement here.

In addition, we are alerting our customers to an Intel statement published on 22 January 2018 regarding issues associated with the Intel microcode patch designed to address the Side-Channel Analysis vulnerability. Intel recommends that customers stop deployment of the HPE ProLiant, HPE Synergy, HPE Superdome Flex and HPE Superdome X System ROMs that include the updated microcode and revert back to the previous version of System ROM. The impact assessment linked below has been updated accordingly. Please reference the HPE Customer Guidance Pack and HPE Customer Advisory for additional details about this issue. Please note that the HPE ProLiant DL385 Gen10 with the AMD microcode update is working as designed and has mitigated the risk associated with the Side Channel Analysis vulnerability.

Recently, one of our suppliers, Intel, discovered a potential security vulnerability in their Server Platform Services (SPS) firmware. The security vulnerability affected several of their processor architectures; however, not all of the impacted Intel server processor architectures are used in HPE products. Specifically, the SPS/ME firmware used in Intel’s architecture can be compromised using physical access. As a result, non-authenticated code may be executed in the SPS environment outside of the visibility of the user and operating system administrator.

These vulnerabilities are not unique to HPE servers and will affect any systems using Intel’s identified processor architectures with impacted firmware revisions.

The REST Plugin in Apache Struts 2 uses an XStreamHandler with an instance of XStream for deserialisation without any type filtering, which could lead to Remote Code Execution when deserialising XML payloads. An attacker could use this flaw to execute arbitrary code or to conduct further attacks.

To learn more about CVE-2017-9805, see the MITRE CVE dictionary and NIST NVD.

On 12 May 2017, a ransomware attack was deployed by unknown actors against Microsoft Windows clients. The attack encrypted PCs and servers, amounting to a ransomware form of Denial of Service attack. On 14 March 2017 Microsoft released MS17-010, a patch which addresses the vulnerability. Additional information about this vulnerability is available from Microsoft - MS17-010 and from NVD - CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, CVE-2017-0147, CVE-2016-0148.

On 1 May 2017, Intel disclosed a new vulnerability in their Intel Manageability Firmware which is utilised on some systems containing Intel processors. This vulnerability allows an unprivileged network or local attacker to gain control of the remote manageability features of Intel Active Management Technology (AMT), Intel Standard Manageability (ISM) and Intel Small Business Technology (SBT) platforms. Additional information about this vulnerability is available at CVE-2017-5689.

On 6 March 2017, Apache disclosed a new vulnerability in Apache Struts 2. The vulnerability allows remote code execution when performing a file upload using the Jakarta multipart parser used in Apache Struts 2. This flaw allows an attacker to send an invalid Content-Type HTTP header as part of the file upload request, which could result in execution of arbitrary code on the vulnerable system. If exploited, the attacker can steal critical data and/or take control of the affected system. Additional information about this vulnerability is available at CVE-2017-5638.

On 19 October 2016, a privilege escalation vulnerability in the Linux kernel was disclosed. A race condition was found in the way the Linux kernel’s memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings. This flaw allows an unprivileged local user to gain write access to otherwise read-only memory mappings and thus gain increased privileges on the Linux kernel. This vulnerability is referred to as “Dirty COW”. Additional information about this vulnerability is available at CVE-2016-5195.

On 15 August 2016, a vulnerability referred to as “FalseCONNECT”, in the implementation of HTTP 407 (proxy authentication required) for the CONNECT method was disclosed. Since these requests are always made in plain text over HTTP, they are susceptible to man-in-the-middle attacks that may be leveraged to expose user credentials, and in some implementations, render HTML and scripts in the client DOM within a security context. The injection as well as tampering of 407 authentication headers in the context of the CONNECT method can subject a user to phishing as well as authentication downgrade attacks. Additional information about the vulnerability is available at CERT VU#905344.

On 18 July 2016, a vulnerability in the handling of the HTTP_PROXY environment variable by web servers, web frameworks, and programming languages that run in CGI or CGI-like environments, referred to as HTTPoxy, was disclosed. The vulnerability stems from using user-supplied input to set the HTTP_PROXY environment variable without sufficient validation. This vulnerability could allow an unauthenticated, remote attacker to perform a man-in-the-middle (MITM) attack or redirect outbound traffic to an arbitrary server, which can cause disclosure of sensitive information. Additional information about this vulnerability is available at CVE-HTTPoxy.

On 1 March 2016, a new attack was released which is being referred to as DROWN - Decrypting RSA using Obsolete and Weakened eNcryption. This is a cross-protocol attack that exploits a vulnerability in SSLv2 to decrypt passively collected TLS sessions. Additional information about the vulnerability is available at CVE-2016-0800.

A vulnerability affecting DNS name servers based on ISC BIND was announced on 28 July 2015. This vulnerability could allow a remotely exploitable Denial of Service against name servers running ISC BIND. Additional information about the ISC BIND TKEY query handling vulnerability is available at CVE-2015-5477.

On 16 February 2016, a stack-based buffer overflow vulnerability in the GNU C library (glibc) was publicly disclosed. The flaw was discovered in the getaddrinfo() library function of glibc. Attackers may exploit applications that use this function to achieve remote code execution on the affected device. Additional information about the vulnerability is available on the NIST website CVE-2015-7547.

On 6 August 2015, at the Black Hat security conference in Las Vegas, security researcher Christopher Domas demonstrated installing a rootkit in a PC's firmware. Domas nicknamed the demonstration a “memory sinkhole”. The attack exploited a feature built into x86 chips manufactured from the mid-1990s until the 2011 release of the Intel Xeon Processor E5-2600 Series (i.e., Sandy Bridge-EP).

The vulnerability exists in the Advanced Programmable Interrupt Controller (APIC), which could allow an attack against the System Management Mode (SMM) memory area used by the operating system to interface with the boot environment like BIOS, EFI, or UEFI. An attacker can exploit this vulnerability to utilise the most privileged of execution modes and potentially overwrite secure features in the boot environment. The demonstration exploit uses the UEFI code features to install a rootkit.

Potential Impact

HPE has investigated the potential impact of this issue on our Enterprise products (i.e., Servers, Storage and Networking) and determined that HPE ProLiant Gen8 and Gen9-series servers are not vulnerable, as Intel previously addressed this design flaw in Intel Xeon Processor E5-2600 Series and subsequent models of server processors. Please note that Intel Xeon Processor E5-2600 Series are used in ProLiant Gen8 servers.

In addition, HPE has investigated the potential impact of this issue on HPE ProLiant G5, G6 and G7-series servers and determined they are not vulnerable to the specific attack demonstrated by Christopher Domas at the Black Hat security conference. Intel is providing a microcode update for these servers which will prevent a potential security breach, if an attempt is made to exploit this vulnerability. As an added measure of security, HPE plans to implement this microcode in updated ProLiant System ROMs, which will be made available for download on HPE Support Center, at no cost to customers.

What can you do?

Please check back for updates to this page regarding the availability of updated System ROMs for ProLiant G5, G6 and G7-series servers.

On 9 July 2015, OpenSSL disclosed a flaw in the way alternative certificate chains are verified. This only impacts versions of OpenSSL released since June 2015: v1.0.2c, v1.0.2b, v1.0.1o and v1.0.1n. Exploitation of this vulnerability could allow an attacker to bypass certain certificate validation checks, enabling them to issue an invalid certificate. Additional information about this OpenSSL vulnerability is available on the NIST website CVE-2015-1793.

On 13 May 2015, a vulnerability was announced in the virtual floppy drive code used by many virtualisation platforms. Exploitation of this vulnerability could allow an attacker to escape from the affected Virtual Machine (VM) guest and potentially execute code on the host. Additional information about the VENOM vulnerability is available on the NIST website CVE-2015-3456.

On 27 January 2015, a buffer overflow vulnerability in GNU C library (glibc) was publicly disclosed. The flaw was discovered in the gethostbyname set of functions of the GNU C library (glibc) and could be used to execute arbitrary code. Additional information about the vulnerability is available on NIST website CVE-2015-0235.

On 14 October 2014, a vulnerability in the SSLv3 protocol was released. An exploitation of this vulnerability could allow an attacker to decrypt portions of encrypted traffic via a POODLE (Padding Oracle on Downgraded Legacy Encryption) attack. Additional information about SSLv3 POODLE vulnerability is available on NIST website CVE-2014-3566.

A recent Bash vulnerability affecting Unix-based operating systems, such as Linux and Mac OS X, was announced on 24 September 2014. Exploitation of this vulnerability may allow a remote attacker to execute arbitrary code on an affected system. More information about this issue is available at CVE-2014-7169.

On 8 April 2014, HP was notified of an OpenSSL vulnerability, CVE-2014-0160 (now known as "Heartbleed"). This vulnerability has garnered a substantial amount of media attention. See the resources section for a link to the National Vulnerability Database entry describing the vulnerability in detail. OpenSSL is used in some HP products to provide encryption and SSL services.